* [nft] segfault bug in simple ruleset, regression?
@ 2015-09-09 11:28 Arturo Borrero Gonzalez
From: Arturo Borrero Gonzalez @ 2015-09-09 11:28 UTC (permalink / raw)
To: Netfilter Development Mailing list; +Cc: Pablo Neira Ayuso, Patrick McHardy, fw
[-- Attachment #1: Type: text/plain, Size: 1977 bytes --]
Hi,
with the current HEAD of nftables [0663bfe ("mnl: rework netlink socket
receive path for events")] and the current nf-next HEAD kernel
[851345c ("netfilter: reduce sparse warnings")] I'm hitting a
segfault.
There seems to be a strcmp over a NULL string.
Unfortunately I can't try to solve this myself right now.
It can be reproduced with this simple file:
========== 8< ==========
flush ruleset
table inet filter {
    chain test0 {
    }

    chain test1 {
    }

    chain test2 {
    }

    chain test {
        oif vmap {
            eth0 : jump test0,
            eth1 : jump test1,
            eth2 : jump test2
        }
    }
}
========== 8< ==========
loaded with:
% nft -f file
produces:
nft[2307]: segfault at 100000000 ip 00007f3f0a3ea27a sp 00007ffe04e524a8 error 4 in libc-2.19.so[7f3f0a36a000+19f000]
The gdb backtrace:
[...]
(gdb) bt
#0  __strcmp_sse2 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
#1  0x00000000004078a4 in chain_lookup (table=table@entry=0x653950, h=h@entry=0x6539f0) at rule.c:518
#2  0x000000000040e771 in chain_evaluate (ctx=ctx@entry=0x7fffffffe4c8, chain=chain@entry=0x6539e0) at evaluate.c:1873
#3  0x000000000040ee6f in table_evaluate (table=0x654920, ctx=0x7fffffffe4c8) at evaluate.c:1919
#4  cmd_evaluate_add (cmd=<optimized out>, ctx=0x7fffffffe4c8) at evaluate.c:1940
#5  cmd_evaluate (ctx=0x7fffffffe4c8, cmd=<optimized out>) at evaluate.c:2098
#6  0x00000000004257f0 in nft_parse (scanner=scanner@entry=0x64f4b0, state=state@entry=0x7fffffffdee0) at parser_bison.y:566
#7  0x00000000004063ed in nft_run (scanner=scanner@entry=0x64f4b0, state=state@entry=0x7fffffffdee0, msgs=msgs@entry=0x7fffffffded0) at main.c:231
#8  0x0000000000406052 in main (argc=<optimized out>, argv=<optimized out>) at main.c:357
Find the valgrind report attached.
--
Arturo Borrero González
[-- Attachment #2: valgrind.txt --]
[-- Type: text/plain, Size: 11140 bytes --]
% sudo valgrind nft -f ruleset.nft
==2239== Memcheck, a memory error detector
==2239== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==2239== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==2239== Command: nft -f ruleset.nft
==2239==
==2239== Syscall param socketcall.sendto(msg) points to uninitialised byte(s)
==2239== at 0x580E143: __sendto_nocancel (syscall-template.S:81)
==2239== by 0x419BA2: nft_mnl_talk (mnl.c:80)
==2239== by 0x41B08C: mnl_nft_set_dump (mnl.c:772)
==2239== by 0x41350B: netlink_list_sets (netlink.c:1248)
==2239== by 0x407448: cache_init_objects (rule.c:79)
==2239== by 0x407448: cache_init (rule.c:133)
==2239== by 0x407448: cache_update (rule.c:150)
==2239== by 0x40E9D9: cmd_evaluate (evaluate.c:2081)
==2239== by 0x4257EF: nft_parse (parser_bison.y:566)
==2239== by 0x4063EC: nft_run (main.c:231)
==2239== by 0x406051: main (main.c:357)
==2239== Address 0xffeff971f is on thread 1's stack
==2239== in frame #2, created by mnl_nft_set_dump (mnl.c:750)
==2239==
==2239== Syscall param socketcall.sendto(msg) points to uninitialised byte(s)
==2239== at 0x580E143: __sendto_nocancel (syscall-template.S:81)
==2239== by 0x419BA2: nft_mnl_talk (mnl.c:80)
==2239== by 0x41B442: mnl_nft_setelem_get (mnl.c:904)
==2239== by 0x41383A: netlink_get_setelems (netlink.c:1512)
==2239== by 0x4074AD: cache_init_objects (rule.c:87)
==2239== by 0x4074AD: cache_init (rule.c:133)
==2239== by 0x4074AD: cache_update (rule.c:150)
==2239== by 0x40E9D9: cmd_evaluate (evaluate.c:2081)
==2239== by 0x4257EF: nft_parse (parser_bison.y:566)
==2239== by 0x4063EC: nft_run (main.c:231)
==2239== by 0x406051: main (main.c:357)
==2239== Address 0xffeff970f is on thread 1's stack
==2239== in frame #2, created by mnl_nft_setelem_get (mnl.c:895)
==2239==
==2239== Invalid read of size 8
==2239== at 0x406B24: handle_merge (rule.c:46)
==2239== by 0x40EE63: table_evaluate (evaluate.c:1918)
==2239== by 0x40EE63: cmd_evaluate_add (evaluate.c:1940)
==2239== by 0x40EE63: cmd_evaluate (evaluate.c:2098)
==2239== by 0x4257EF: nft_parse (parser_bison.y:566)
==2239== by 0x4063EC: nft_run (main.c:231)
==2239== by 0x406051: main (main.c:357)
==2239== Address 0x5cff808 is 0 bytes after a block of size 184 alloc'd
==2239== at 0x4C2AD10: calloc (vg_replace_malloc.c:623)
==2239== by 0x4195AD: xmalloc (utils.c:36)
==2239== by 0x4195AD: xzalloc (utils.c:54)
==2239== by 0x407CAD: table_alloc (rule.c:651)
==2239== by 0x41078D: netlink_delinearize_table.isra.5 (netlink.c:923)
==2239== by 0x4107EC: list_table_cb (netlink.c:939)
==2239== by 0x5043B73: nft_table_list_foreach (table.c:535)
==2239== by 0x41300F: netlink_list_tables (netlink.c:960)
==2239== by 0x4073DC: cache_init_tables (rule.c:62)
==2239== by 0x4073DC: cache_init (rule.c:130)
==2239== by 0x4073DC: cache_update (rule.c:150)
==2239== by 0x40E9D9: cmd_evaluate (evaluate.c:2081)
==2239== by 0x4257EF: nft_parse (parser_bison.y:566)
==2239== by 0x4063EC: nft_run (main.c:231)
==2239== by 0x406051: main (main.c:357)
==2239==
==2239== Invalid read of size 8
==2239== at 0x406B2F: handle_merge (rule.c:48)
==2239== by 0x40EE63: table_evaluate (evaluate.c:1918)
==2239== by 0x40EE63: cmd_evaluate_add (evaluate.c:1940)
==2239== by 0x40EE63: cmd_evaluate (evaluate.c:2098)
==2239== by 0x4257EF: nft_parse (parser_bison.y:566)
==2239== by 0x4063EC: nft_run (main.c:231)
==2239== by 0x406051: main (main.c:357)
==2239== Address 0x5cff810 is 8 bytes after a block of size 184 alloc'd
==2239== at 0x4C2AD10: calloc (vg_replace_malloc.c:623)
==2239== by 0x4195AD: xmalloc (utils.c:36)
==2239== by 0x4195AD: xzalloc (utils.c:54)
==2239== by 0x407CAD: table_alloc (rule.c:651)
==2239== by 0x41078D: netlink_delinearize_table.isra.5 (netlink.c:923)
==2239== by 0x4107EC: list_table_cb (netlink.c:939)
==2239== by 0x5043B73: nft_table_list_foreach (table.c:535)
==2239== by 0x41300F: netlink_list_tables (netlink.c:960)
==2239== by 0x4073DC: cache_init_tables (rule.c:62)
==2239== by 0x4073DC: cache_init (rule.c:130)
==2239== by 0x4073DC: cache_update (rule.c:150)
==2239== by 0x40E9D9: cmd_evaluate (evaluate.c:2081)
==2239== by 0x4257EF: nft_parse (parser_bison.y:566)
==2239== by 0x4063EC: nft_run (main.c:231)
==2239== by 0x406051: main (main.c:357)
==2239==
==2239== Invalid write of size 8
==2239== at 0x406B3A: handle_merge (rule.c:49)
==2239== by 0x40EE63: table_evaluate (evaluate.c:1918)
==2239== by 0x40EE63: cmd_evaluate_add (evaluate.c:1940)
==2239== by 0x40EE63: cmd_evaluate (evaluate.c:2098)
==2239== by 0x4257EF: nft_parse (parser_bison.y:566)
==2239== by 0x4063EC: nft_run (main.c:231)
==2239== by 0x406051: main (main.c:357)
==2239== Address 0x5cff810 is 8 bytes after a block of size 184 alloc'd
==2239== at 0x4C2AD10: calloc (vg_replace_malloc.c:623)
==2239== by 0x4195AD: xmalloc (utils.c:36)
==2239== by 0x4195AD: xzalloc (utils.c:54)
==2239== by 0x407CAD: table_alloc (rule.c:651)
==2239== by 0x41078D: netlink_delinearize_table.isra.5 (netlink.c:923)
==2239== by 0x4107EC: list_table_cb (netlink.c:939)
==2239== by 0x5043B73: nft_table_list_foreach (table.c:535)
==2239== by 0x41300F: netlink_list_tables (netlink.c:960)
==2239== by 0x4073DC: cache_init_tables (rule.c:62)
==2239== by 0x4073DC: cache_init (rule.c:130)
==2239== by 0x4073DC: cache_update (rule.c:150)
==2239== by 0x40E9D9: cmd_evaluate (evaluate.c:2081)
==2239== by 0x4257EF: nft_parse (parser_bison.y:566)
==2239== by 0x4063EC: nft_run (main.c:231)
==2239== by 0x406051: main (main.c:357)
==2239==
==2239== Invalid read of size 8
==2239== at 0x406B3E: handle_merge (rule.c:50)
==2239== by 0x40EE63: table_evaluate (evaluate.c:1918)
==2239== by 0x40EE63: cmd_evaluate_add (evaluate.c:1940)
==2239== by 0x40EE63: cmd_evaluate (evaluate.c:2098)
==2239== by 0x4257EF: nft_parse (parser_bison.y:566)
==2239== by 0x4063EC: nft_run (main.c:231)
==2239== by 0x406051: main (main.c:357)
==2239== Address 0x5cff818 is 16 bytes after a block of size 184 alloc'd
==2239== at 0x4C2AD10: calloc (vg_replace_malloc.c:623)
==2239== by 0x4195AD: xmalloc (utils.c:36)
==2239== by 0x4195AD: xzalloc (utils.c:54)
==2239== by 0x407CAD: table_alloc (rule.c:651)
==2239== by 0x41078D: netlink_delinearize_table.isra.5 (netlink.c:923)
==2239== by 0x4107EC: list_table_cb (netlink.c:939)
==2239== by 0x5043B73: nft_table_list_foreach (table.c:535)
==2239== by 0x41300F: netlink_list_tables (netlink.c:960)
==2239== by 0x4073DC: cache_init_tables (rule.c:62)
==2239== by 0x4073DC: cache_init (rule.c:130)
==2239== by 0x4073DC: cache_update (rule.c:150)
==2239== by 0x40E9D9: cmd_evaluate (evaluate.c:2081)
==2239== by 0x4257EF: nft_parse (parser_bison.y:566)
==2239== by 0x4063EC: nft_run (main.c:231)
==2239== by 0x406051: main (main.c:357)
==2239==
==2239== Invalid write of size 8
==2239== at 0x406B49: handle_merge (rule.c:51)
==2239== by 0x40EE63: table_evaluate (evaluate.c:1918)
==2239== by 0x40EE63: cmd_evaluate_add (evaluate.c:1940)
==2239== by 0x40EE63: cmd_evaluate (evaluate.c:2098)
==2239== by 0x4257EF: nft_parse (parser_bison.y:566)
==2239== by 0x4063EC: nft_run (main.c:231)
==2239== by 0x406051: main (main.c:357)
==2239== Address 0x5cff818 is 16 bytes after a block of size 184 alloc'd
==2239== at 0x4C2AD10: calloc (vg_replace_malloc.c:623)
==2239== by 0x4195AD: xmalloc (utils.c:36)
==2239== by 0x4195AD: xzalloc (utils.c:54)
==2239== by 0x407CAD: table_alloc (rule.c:651)
==2239== by 0x41078D: netlink_delinearize_table.isra.5 (netlink.c:923)
==2239== by 0x4107EC: list_table_cb (netlink.c:939)
==2239== by 0x5043B73: nft_table_list_foreach (table.c:535)
==2239== by 0x41300F: netlink_list_tables (netlink.c:960)
==2239== by 0x4073DC: cache_init_tables (rule.c:62)
==2239== by 0x4073DC: cache_init (rule.c:130)
==2239== by 0x4073DC: cache_update (rule.c:150)
==2239== by 0x40E9D9: cmd_evaluate (evaluate.c:2081)
==2239== by 0x4257EF: nft_parse (parser_bison.y:566)
==2239== by 0x4063EC: nft_run (main.c:231)
==2239== by 0x406051: main (main.c:357)
==2239==
==2239== Invalid read of size 8
==2239== at 0x406B4D: handle_merge (rule.c:52)
==2239== by 0x40EE63: table_evaluate (evaluate.c:1918)
==2239== by 0x40EE63: cmd_evaluate_add (evaluate.c:1940)
==2239== by 0x40EE63: cmd_evaluate (evaluate.c:2098)
==2239== by 0x4257EF: nft_parse (parser_bison.y:566)
==2239== by 0x4063EC: nft_run (main.c:231)
==2239== by 0x406051: main (main.c:357)
==2239== Address 0x5cff828 is 24 bytes after a block of size 192 in arena "client"
==2239==
==2239== Invalid read of size 1
==2239== at 0x4C2D1D3: strcmp (vg_replace_strmem.c:755)
==2239== by 0x4078A3: chain_lookup (rule.c:518)
==2239== by 0x40E770: chain_evaluate (evaluate.c:1873)
==2239== by 0x40EE6E: table_evaluate (evaluate.c:1919)
==2239== by 0x40EE6E: cmd_evaluate_add (evaluate.c:1940)
==2239== by 0x40EE6E: cmd_evaluate (evaluate.c:2098)
==2239== by 0x4257EF: nft_parse (parser_bison.y:566)
==2239== by 0x4063EC: nft_run (main.c:231)
==2239== by 0x406051: main (main.c:357)
==2239== Address 0x100000000 is not stack'd, malloc'd or (recently) free'd
==2239==
==2239==
==2239== Process terminating with default action of signal 11 (SIGSEGV)
==2239== Access not within mapped region at address 0x100000000
==2239== at 0x4C2D1D3: strcmp (vg_replace_strmem.c:755)
==2239== by 0x4078A3: chain_lookup (rule.c:518)
==2239== by 0x40E770: chain_evaluate (evaluate.c:1873)
==2239== by 0x40EE6E: table_evaluate (evaluate.c:1919)
==2239== by 0x40EE6E: cmd_evaluate_add (evaluate.c:1940)
==2239== by 0x40EE6E: cmd_evaluate (evaluate.c:2098)
==2239== by 0x4257EF: nft_parse (parser_bison.y:566)
==2239== by 0x4063EC: nft_run (main.c:231)
==2239== by 0x406051: main (main.c:357)
==2239== If you believe this happened as a result of a stack
==2239== overflow in your program's main thread (unlikely but
==2239== possible), you can try to increase the size of the
==2239== main thread stack using the --main-stacksize= flag.
==2239== The main thread stack size used in this run was 8388608.
==2239==
==2239== HEAP SUMMARY:
==2239== in use at exit: 25,953 bytes in 102 blocks
==2239== total heap usage: 161 allocs, 59 frees, 30,906 bytes allocated
==2239==
==2239== LEAK SUMMARY:
==2239== definitely lost: 0 bytes in 0 blocks
==2239== indirectly lost: 0 bytes in 0 blocks
==2239== possibly lost: 0 bytes in 0 blocks
==2239== still reachable: 25,953 bytes in 102 blocks
==2239== suppressed: 0 bytes in 0 blocks
==2239== Rerun with --leak-check=full to see details of leaked memory
==2239==
==2239== For counts of detected and suppressed errors, rerun with: -v
==2239== Use --track-origins=yes to see where uninitialised values come from
==2239== ERROR SUMMARY: 10 errors from 9 contexts (suppressed: 0 from 0)
* Re: [nft] segfault bug in simple ruleset, regression?
From: Pablo Neira Ayuso @ 2015-09-09 14:29 UTC (permalink / raw)
To: Arturo Borrero Gonzalez
Cc: Netfilter Development Mailing list, Patrick McHardy, fw
[-- Attachment #1: Type: text/plain, Size: 1349 bytes --]
On Wed, Sep 09, 2015 at 01:28:38PM +0200, Arturo Borrero Gonzalez wrote:
> Hi,
>
> with the current HEAD of nftables [0663bfe ("mnl: rework netlink socket
> receive path for events")] and the current nf-next HEAD kernel
> [851345c ("netfilter: reduce sparse warnings")] I'm hitting a
> segfault.
> There seems to be a strcmp over a NULL string.
>
> Unfortunately I can't try to solve this myself right now.
>
> It can be reproduced with this simple file:
>
> ========== 8< ==========
> flush ruleset
> table inet filter {
>     chain test0 {
>     }
>
>     chain test1 {
>     }
>
>     chain test2 {
>     }
>
>     chain test {
>         oif vmap {
>             eth0 : jump test0,
>             eth1 : jump test1,
>             eth2 : jump test2
>         }
>     }
> }
> ========== 8< ==========
>
> loaded with:
> % nft -f file
I cannot reproduce this here using this:
table inet filter {
    chain test0 {
    }
    chain test1 {
    }
    chain test2 {
    }
    chain test {
        oif vmap {
            eth0 : jump test0,
            wlan0 : jump test1,
            lo : jump test2
        }
    }
}
See the file attached. Are you sure you're using the latest nft?
[-- Attachment #2: out.txt --]
[-- Type: text/plain, Size: 9945 bytes --]
# valgrind nft -f file
==4151== Memcheck, a memory error detector
==4151== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==4151== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==4151== Command: nft -f l
==4151==
==4151== Conditional jump or move depends on uninitialised value(s)
==4151== at 0x4017741: index (strchr.S:40)
==4151== by 0x40073DD: expand_dynamic_string_token (dl-load.c:425)
==4151== by 0x400756B: fillin_rpath (dl-load.c:495)
==4151== by 0x4007CF9: _dl_init_paths (dl-load.c:872)
==4151== by 0x4002BC9: dl_main (rtld.c:1348)
==4151== by 0x40152B4: _dl_sysdep_start (dl-sysdep.c:249)
==4151== by 0x4004A15: _dl_start (rtld.c:331)
==4151== by 0x4001197: ??? (in /lib/x86_64-linux-gnu/ld-2.19.so)
==4151== by 0x2: ???
==4151== by 0x7FF0006FE: ???
==4151== by 0x7FF000702: ???
==4151== by 0x7FF000705: ???
==4151==
==4151== Use of uninitialised value of size 8
==4151== at 0x401774F: index (strchr.S:47)
==4151== by 0x40073DD: expand_dynamic_string_token (dl-load.c:425)
==4151== by 0x400756B: fillin_rpath (dl-load.c:495)
==4151== by 0x4007CF9: _dl_init_paths (dl-load.c:872)
==4151== by 0x4002BC9: dl_main (rtld.c:1348)
==4151== by 0x40152B4: _dl_sysdep_start (dl-sysdep.c:249)
==4151== by 0x4004A15: _dl_start (rtld.c:331)
==4151== by 0x4001197: ??? (in /lib/x86_64-linux-gnu/ld-2.19.so)
==4151== by 0x2: ???
==4151== by 0x7FF0006FE: ???
==4151== by 0x7FF000702: ???
==4151== by 0x7FF000705: ???
==4151==
==4151== Conditional jump or move depends on uninitialised value(s)
==4151== at 0x40177B4: index (strchr.S:77)
==4151== by 0x40073DD: expand_dynamic_string_token (dl-load.c:425)
==4151== by 0x400800D: _dl_map_object (dl-load.c:2538)
==4151== by 0x400137D: map_doit (rtld.c:626)
==4151== by 0x400E8B3: _dl_catch_error (dl-error.c:187)
==4151== by 0x4000B2E: do_preload (rtld.c:815)
==4151== by 0x4004127: dl_main (rtld.c:1634)
==4151== by 0x40152B4: _dl_sysdep_start (dl-sysdep.c:249)
==4151== by 0x4004A15: _dl_start (rtld.c:331)
==4151== by 0x4001197: ??? (in /lib/x86_64-linux-gnu/ld-2.19.so)
==4151== by 0x2: ???
==4151== by 0x7FF0006FE: ???
==4151==
==4151== Use of uninitialised value of size 8
==4151== at 0x401786D: index (strchr.S:135)
==4151== by 0x40073DD: expand_dynamic_string_token (dl-load.c:425)
==4151== by 0x400800D: _dl_map_object (dl-load.c:2538)
==4151== by 0x400137D: map_doit (rtld.c:626)
==4151== by 0x400E8B3: _dl_catch_error (dl-error.c:187)
==4151== by 0x4000B2E: do_preload (rtld.c:815)
==4151== by 0x4004127: dl_main (rtld.c:1634)
==4151== by 0x40152B4: _dl_sysdep_start (dl-sysdep.c:249)
==4151== by 0x4004A15: _dl_start (rtld.c:331)
==4151== by 0x4001197: ??? (in /lib/x86_64-linux-gnu/ld-2.19.so)
==4151== by 0x2: ???
==4151== by 0x7FF0006FE: ???
==4151==
==4151== Syscall param socketcall.sendmsg(msg.msg_iov[i]) points to uninitialised byte(s)
==4151== at 0x58080B0: __sendmsg_nocancel (syscall-template.S:81)
==4151== by 0x41A027: mnl_batch_talk (mnl.c:241)
==4151== by 0x4064E7: nft_run (main.c:203)
==4151== by 0x40601C: main (main.c:357)
==4151== Address 0x5cfac27 is 71 bytes inside a block of size 200,703 alloc'd
==4151== at 0x4C29BED: malloc (vg_replace_malloc.c:263)
==4151== by 0x503F171: nftnl_batch_page_alloc.isra.0 (batch.c:36)
==4151== by 0x503F1FF: nft_batch_alloc (batch.c:73)
==4151== by 0x419D98: mnl_batch_init (mnl.c:135)
==4151== by 0x4063EE: nft_run (main.c:185)
==4151== by 0x40601C: main (main.c:357)
==4151==
==4151==
==4151== HEAP SUMMARY:
==4151== in use at exit: 834 bytes in 3 blocks
==4151== total heap usage: 123 allocs, 120 frees, 227,812 bytes allocated
==4151==
==4151== LEAK SUMMARY:
==4151== definitely lost: 2 bytes in 1 blocks
==4151== indirectly lost: 0 bytes in 0 blocks
==4151== possibly lost: 0 bytes in 0 blocks
==4151== still reachable: 832 bytes in 2 blocks
==4151== suppressed: 0 bytes in 0 blocks
==4151== Rerun with --leak-check=full to see details of leaked memory
==4151==
==4151== For counts of detected and suppressed errors, rerun with: -v
==4151== Use --track-origins=yes to see where uninitialised values come from
==4151== ERROR SUMMARY: 5 errors from 5 contexts (suppressed: 0 from 0)
# valgrind nft -f file
==4154== Memcheck, a memory error detector
==4154== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==4154== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==4154== Command: nft -f l
==4154==
==4154== Conditional jump or move depends on uninitialised value(s)
==4154== at 0x4017741: index (strchr.S:40)
==4154== by 0x40073DD: expand_dynamic_string_token (dl-load.c:425)
==4154== by 0x400756B: fillin_rpath (dl-load.c:495)
==4154== by 0x4007CF9: _dl_init_paths (dl-load.c:872)
==4154== by 0x4002BC9: dl_main (rtld.c:1348)
==4154== by 0x40152B4: _dl_sysdep_start (dl-sysdep.c:249)
==4154== by 0x4004A15: _dl_start (rtld.c:331)
==4154== by 0x4001197: ??? (in /lib/x86_64-linux-gnu/ld-2.19.so)
==4154== by 0x2: ???
==4154== by 0x7FF0006FE: ???
==4154== by 0x7FF000702: ???
==4154== by 0x7FF000705: ???
==4154==
==4154== Use of uninitialised value of size 8
==4154== at 0x401774F: index (strchr.S:47)
==4154== by 0x40073DD: expand_dynamic_string_token (dl-load.c:425)
==4154== by 0x400756B: fillin_rpath (dl-load.c:495)
==4154== by 0x4007CF9: _dl_init_paths (dl-load.c:872)
==4154== by 0x4002BC9: dl_main (rtld.c:1348)
==4154== by 0x40152B4: _dl_sysdep_start (dl-sysdep.c:249)
==4154== by 0x4004A15: _dl_start (rtld.c:331)
==4154== by 0x4001197: ??? (in /lib/x86_64-linux-gnu/ld-2.19.so)
==4154== by 0x2: ???
==4154== by 0x7FF0006FE: ???
==4154== by 0x7FF000702: ???
==4154== by 0x7FF000705: ???
==4154==
==4154== Conditional jump or move depends on uninitialised value(s)
==4154== at 0x40177B4: index (strchr.S:77)
==4154== by 0x40073DD: expand_dynamic_string_token (dl-load.c:425)
==4154== by 0x400800D: _dl_map_object (dl-load.c:2538)
==4154== by 0x400137D: map_doit (rtld.c:626)
==4154== by 0x400E8B3: _dl_catch_error (dl-error.c:187)
==4154== by 0x4000B2E: do_preload (rtld.c:815)
==4154== by 0x4004127: dl_main (rtld.c:1634)
==4154== by 0x40152B4: _dl_sysdep_start (dl-sysdep.c:249)
==4154== by 0x4004A15: _dl_start (rtld.c:331)
==4154== by 0x4001197: ??? (in /lib/x86_64-linux-gnu/ld-2.19.so)
==4154== by 0x2: ???
==4154== by 0x7FF0006FE: ???
==4154==
==4154== Use of uninitialised value of size 8
==4154== at 0x401786D: index (strchr.S:135)
==4154== by 0x40073DD: expand_dynamic_string_token (dl-load.c:425)
==4154== by 0x400800D: _dl_map_object (dl-load.c:2538)
==4154== by 0x400137D: map_doit (rtld.c:626)
==4154== by 0x400E8B3: _dl_catch_error (dl-error.c:187)
==4154== by 0x4000B2E: do_preload (rtld.c:815)
==4154== by 0x4004127: dl_main (rtld.c:1634)
==4154== by 0x40152B4: _dl_sysdep_start (dl-sysdep.c:249)
==4154== by 0x4004A15: _dl_start (rtld.c:331)
==4154== by 0x4001197: ??? (in /lib/x86_64-linux-gnu/ld-2.19.so)
==4154== by 0x2: ???
==4154== by 0x7FF0006FE: ???
==4154==
==4154== Syscall param socketcall.sendto(msg) points to uninitialised byte(s)
==4154== at 0x5808113: __sendto_nocancel (syscall-template.S:81)
==4154== by 0x4198B2: nft_mnl_talk (mnl.c:80)
==4154== by 0x41AED3: mnl_nft_set_dump (mnl.c:772)
==4154== by 0x41322B: netlink_list_sets (netlink.c:1248)
==4154== by 0x407647: cache_update (rule.c:79)
==4154== by 0x40E759: cmd_evaluate (evaluate.c:2081)
==4154== by 0x424E05: nft_parse (parser_bison.y:566)
==4154== by 0x4063AC: nft_run (main.c:231)
==4154== by 0x40601C: main (main.c:357)
==4154== Address 0x7feff956f is on thread 1's stack
==4154==
==4154== Syscall param socketcall.sendto(msg) points to uninitialised byte(s)
==4154== at 0x5808113: __sendto_nocancel (syscall-template.S:81)
==4154== by 0x4198B2: nft_mnl_talk (mnl.c:80)
==4154== by 0x41B2C2: mnl_nft_setelem_get (mnl.c:904)
==4154== by 0x41356A: netlink_get_setelems (netlink.c:1512)
==4154== by 0x4076AC: cache_update (rule.c:87)
==4154== by 0x40E759: cmd_evaluate (evaluate.c:2081)
==4154== by 0x424E05: nft_parse (parser_bison.y:566)
==4154== by 0x4063AC: nft_run (main.c:231)
==4154== by 0x40601C: main (main.c:357)
==4154== Address 0x7feff955f is on thread 1's stack
==4154==
==4154== Syscall param socketcall.sendmsg(msg.msg_iov[i]) points to uninitialised byte(s)
==4154== at 0x58080B0: __sendmsg_nocancel (syscall-template.S:81)
==4154== by 0x41A027: mnl_batch_talk (mnl.c:241)
==4154== by 0x4064E7: nft_run (main.c:203)
==4154== by 0x40601C: main (main.c:357)
==4154== Address 0x5cfd047 is 71 bytes inside a block of size 200,703 alloc'd
==4154== at 0x4C29BED: malloc (vg_replace_malloc.c:263)
==4154== by 0x503F171: nftnl_batch_page_alloc.isra.0 (batch.c:36)
==4154== by 0x503F1FF: nft_batch_alloc (batch.c:73)
==4154== by 0x419D98: mnl_batch_init (mnl.c:135)
==4154== by 0x4063EE: nft_run (main.c:185)
==4154== by 0x40601C: main (main.c:357)
==4154==
==4154==
==4154== HEAP SUMMARY:
==4154== in use at exit: 834 bytes in 3 blocks
==4154== total heap usage: 189 allocs, 186 frees, 232,448 bytes allocated
==4154==
==4154== LEAK SUMMARY:
==4154== definitely lost: 2 bytes in 1 blocks
==4154== indirectly lost: 0 bytes in 0 blocks
==4154== possibly lost: 0 bytes in 0 blocks
==4154== still reachable: 832 bytes in 2 blocks
==4154== suppressed: 0 bytes in 0 blocks
==4154== Rerun with --leak-check=full to see details of leaked memory
==4154==
==4154== For counts of detected and suppressed errors, rerun with: -v
==4154== Use --track-origins=yes to see where uninitialised values come from
==4154== ERROR SUMMARY: 7 errors from 7 contexts (suppressed: 0 from 0)
* Re: [nft] segfault bug in simple ruleset, regression?
From: Florian Westphal @ 2015-09-09 15:29 UTC (permalink / raw)
To: Pablo Neira Ayuso
Cc: Arturo Borrero Gonzalez, Netfilter Development Mailing list,
Patrick McHardy, fw
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > flush ruleset
> > table inet filter {
> >     chain test0 {
> >     }
> >
> >     chain test1 {
> >     }
> >
> >     chain test2 {
> >     }
> >
> >     chain test {
> >         oif vmap {
> >             eth0 : jump test0,
> >             eth1 : jump test1,
> >             eth2 : jump test2
> >         }
> >     }
> > }
> > ========== 8< ==========
> >
> > loaded with:
> > % nft -f file
>
> I cannot reproduce this here using this:
I can reproduce it, but with a slight tweak.
flush ruleset
table inet filter {
    chain test0 {
    }
    chain test {
        oif vmap {
            eth0 : jump test0,
        }
    }
}
(load it with nft -f)
Then edit the file to add a 2nd chain:
flush ruleset
table inet filter {
    chain test0 {
    }
    chain test1 {
    }
    chain test {
        oif vmap {
            eth0 : jump test0,
            lo : jump test1,
        }
    }
}
load it. poof..
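The two-step reproduction Florian describes, as an added example that is not part of the thread: a small POSIX shell harness that writes the first ruleset, loads it, rewrites the file with the extra chain and map entry, and loads it again, running nft under valgrind when valgrind is installed. It assumes nft (and optionally valgrind) on PATH and root privileges; the file path, the REPRO_RUN guard and the helper names are this example's own choices. Both rulesets begin with `flush ruleset`, so running it wipes the live ruleset of the host it runs on; it is meant for a throwaway test box.

```shell
#!/bin/sh
# Added reproduction harness for the nft crash discussed in the thread.
# Not part of the original report. Assumes `nft` (and optionally
# `valgrind`) on PATH and root privileges. The ruleset path below is an
# assumption; override it with RULESET=/path/to/file.

RULESET="${RULESET:-/tmp/nft-repro.nft}"

# Step 1: a single chain referenced from the verdict map (Florian's first file).
write_step1() {
    cat > "$1" <<'EOF'
flush ruleset
table inet filter {
    chain test0 {
    }
    chain test {
        oif vmap {
            eth0 : jump test0,
        }
    }
}
EOF
}

# Step 2: the same ruleset with a second chain and a second map entry added.
write_step2() {
    cat > "$1" <<'EOF'
flush ruleset
table inet filter {
    chain test0 {
    }
    chain test1 {
    }
    chain test {
        oif vmap {
            eth0 : jump test0,
            lo : jump test1,
        }
    }
}
EOF
}

# count_chains FILE: number of chain definitions in a ruleset file.
count_chains() {
    grep -c '^[[:space:]]*chain ' "$1"
}

# load_ruleset FILE: load the file with nft -f, under valgrind when available.
# Returns nft's exit status; with valgrind, memory errors map to status 99
# and a SIGSEGV still surfaces as a non-zero status.
load_ruleset() {
    if command -v valgrind >/dev/null 2>&1; then
        valgrind -q --error-exitcode=99 nft -f "$1"
    else
        nft -f "$1"
    fi
}

# main: run the two loads in sequence and report whether step 2 crashed.
main() {
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not installed; nothing loaded" >&2
        return 0
    fi
    write_step1 "$RULESET"
    load_ruleset "$RULESET" || { echo "step 1 failed (status $?)" >&2; return 1; }
    write_step2 "$RULESET"
    if load_ruleset "$RULESET"; then
        echo "no crash: fixed or not reproducible on this build"
    else
        echo "crash reproduced on step 2 (status $?)"
        return 1
    fi
}

# Guarded so sourcing the file for its helpers does not touch the live ruleset.
if [ "${REPRO_RUN:-0}" = 1 ]; then
    main
fi
```

Run it as `REPRO_RUN=1 sh repro.sh` on a test machine; a non-zero exit from the second load, with the valgrind `strcmp`/`chain_lookup` trace, is the failure the thread describes, and a clean second load means the build under test no longer has it.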
* Re: [nft] segfault bug in simple ruleset, regression?
From: Pablo Neira Ayuso @ 2015-09-09 16:01 UTC (permalink / raw)
To: Florian Westphal
Cc: Arturo Borrero Gonzalez, Netfilter Development Mailing list,
Patrick McHardy
On Wed, Sep 09, 2015 at 05:29:24PM +0200, Florian Westphal wrote:
> I can reproduce it, but with a slight tweak.
>
> flush ruleset
> table inet filter {
>     chain test0 {
>     }
>     chain test {
>         oif vmap {
>             eth0 : jump test0,
>         }
>     }
> }
>
> (load it with nft -f)
>
> Then edit the file to add a 2nd chain:
> flush ruleset
> table inet filter {
>     chain test0 {
>     }
>     chain test1 {
>     }
>     chain test {
>         oif vmap {
>             eth0 : jump test0,
>             lo : jump test1,
>         }
>     }
> }
>
> load it. poof..
Thanks, I can now reproduce this. This is related to the cache
consolidation; I'll look at this asap.